[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: The New Security Build Infrastructure

* Scott James Remnant (scott@netsplit.com) wrote:
> If there's a potential exploit for a server, I want to know about it as
> soon as the developers do so I can shut down that server until they come
> up with a fixed version.
> Just because there isn't a fixed version yet, does not mean that there
> isn't a fairly knowledgeable hacker who's managed to exploit it.

The options go like this:
a) Get notification early of the problem, get time to fix it and ready a
   new package.
b) Don't get notification until it's made public and have to scramble to
   get a fix in ASAP because the problem is public.

It's pretty simple really.  You're going to find out at the same time
either way, it's just that in the first case there will be a package
ready when you find out and in the second case there won't be and you'll
have to wait for one.

So, which would you prefer, for there to be a package ready when you
find out, or for there to not be one?


Attachment: pgph9P0_4ITPY.pgp
Description: PGP signature

Reply to: